scanning-docker-images-with-trivy

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill (scripts/process.py and scripts/agent.py, plus SKILL.md examples) runs Trivy against arbitrary public registry images (e.g., "trivy image python:3.12-slim", registry examples like Docker Hub/GCR/ECR and the IMAGES gathered via kubectl) and downloads public vulnerability databases (--download-db-only), then parses Trivy's JSON results to make policy/gating decisions, so untrusted, user-generated content from public images and external DBs is ingested and can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The GitHub Actions workflow in the skill includes "uses: aquasecurity/trivy-action@master", which causes the runner to fetch and execute code from the remote repository at https://github.com/aquasecurity/trivy-action during workflow runtime, so this is a runtime external dependency that executes remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly includes sudo-based installation steps that modify system files (e.g., /etc/apt/sources.list.d and /usr/share/keyrings) and thus directs the agent to change the host system state.